Description
The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_associated_files function in all versions up to, and including, 3.2.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Published: 2025-08-20
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated file deletion potentially leading to remote code execution
Action: Immediate Patch
AI Analysis

Impact

The Redirection for Contact Form 7 plugin for WordPress contains a flaw in its delete_associated_files function that does not properly validate file paths. This flaw allows an attacker who can reach the plugin’s interface to delete any file on the server. Removal of critical files such as wp-config.php can provide an attacker with the ability to gain remote code execution or compromise the site’s integrity and availability. The weakness is identified as an arbitrary file deletion vulnerability (CWE-22).

Affected Systems

This problem exists in all releases of the Redirection for Contact Form 7 plugin up to version 3.2.4. The affected product is the WordPress plugin Redirection for Contact Form 7 distributed by Themeisle. Users running any of these versions on a WordPress site are at risk.

Risk and Exploitability

With a CVSS score of 8.8 the vulnerability is considered high severity, although the EPSS score indicates a very low current exploitation likelihood (<1%). It is not listed in the CISA KEV catalog. The attack can be carried out by any unauthenticated user who can invoke the delete_associated_files routine, making the threat human‑friendly. Once the attacker deletes a file that is subsequently loaded by the server, remote code execution can be achieved without needing further access or credentials. Because the vulnerability does not require any advanced conditions, the risk to affected sites is considerable should an attacker locate a way to trigger the deletion endpoint.

Generated by OpenCVE AI on April 20, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Redirection for Contact Form 7 plugin to the latest available version (3.2.5 or newer) to eliminate the deletion flaw
  • If an immediate upgrade is not possible, remove the delete_associated_files functionality by deleting the file-wrapping code or disabling the plugin altogether
  • Apply stricter file system permissions to prevent deletion of critical WordPress configuration files

Generated by OpenCVE AI on April 20, 2026 at 19:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28791 The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_associated_files function in all versions up to, and including, 3.2.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
History

Wed, 20 Aug 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 Aug 2025 02:30:00 +0000

Type Values Removed Values Added
Description The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_associated_files function in all versions up to, and including, 3.2.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Title Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated Arbitrary File Deletion
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:28.152Z

Reserved: 2025-07-24T16:21:17.311Z

Link: CVE-2025-8141

cve-icon Vulnrichment

Updated: 2025-08-20T13:56:58.249Z

cve-icon NVD

Status : Deferred

Published: 2025-08-20T03:15:35.640

Modified: 2026-06-17T10:06:23.183

Link: CVE-2025-8141

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T20:00:10Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')